Helpdesk and IT support staff should find this scenario familiar: a user with a desktop, a laptop, a netbook, a smartphone, and a computer or two at home wants a way to keep their files synchronized across all of them at all times. The rise of cloud services and the bring-your-own-device phenomenon have only reinforced the need to have access to everything from anywhere at all times.

Offering networked storage, VPNs, and collaborative tools like SharePoint can help to alleviate the problem, but these services often lack the automation, reliability, and simplicity that end-users demand. Many cloud services exist to fill this gap, but in so doing expose sensitive data to what many would consider an unacceptable risk. SpiderOak is an attempt to solve those problems by combining the security associated with internal filesharing options with the power of cloud-based file-syncing products.

For most individuals, cloud-syncing software is a great answer to the synchronization problem. The cloud sync field is fiercely competitive, and there are products for just about every usage model. Each of these products has its strong points: Dropbox's user-friendliness, SugarSync's wide support for multiple platforms and its increased customization options, and Box's many enterprise-targeted features. And there are less-directly-comparable cloud products like Apple's iCloud, which integrates tightly with iOS and OS X but requires that developers leverage its APIs; and Microsoft SkyDrive, which is closely tied to Microsoft's Office apps and will likely be the de facto standard cloud storage service in the forthcoming Windows 8.

Despite their differences, these products have one thing in common: employees of the companies that provide them can still access your data.

According to their respective privacy policies, the operators of these services normally only access files in response to a request from law enforcement or something similar. But that capability also leaves this data more susceptible to breaches or other illicit behavior. In an environment where users may upload sensitive information about the business and its clients, storing that information with a third party raises definite security and privacy concerns. System administrators often need to be able to demonstrate to higher-ups (and lawyers) that a data breach or accident on the part of a third party will not expose any sensitive or proprietary data.

SpiderOak tries to address data privacy concerns head-on. The service has a strong privacy policy, and it backs it up with client-side encryption. But does the beefed-up security model that will let IT managers sleep at night come at the expense of user-friendliness?

All four of the products I looked at provide client support for the major desktop and mobile platforms—Windows, OS X, iOS, and Android—and provide Web portals for access to your files from platforms that don't have their own client. Dropbox and SpiderOak also have Linux clients, and SugarSync is the only product of the four that fills the shrinking Windows Mobile and Symbian niches.

While SugarSync and Box both offer more storage for free, SpiderOak has an advantage in both capacity and price once you start spending money—you can get 100GB from SpiderOak for the price of 50GB from Dropbox and Box or 60GB from SugarSync. And while the other services have maximum capacity limits, SpiderOak will keep doling out storage in 100GB chunks for as long as you’re willing to pay. SpiderOak also offers half-off educational discounts for any user with a valid .edu email address.

All of the services but Box also offer referral programs for their free products: Dropbox gives users 500MB per referral up to a cap of 16GB, while SpiderOak gives out 1GB per referral up to a cap of 10GB. SpiderOak’s refer-a-friend program had a much more generous cap of 50GB until just last month, when abuses of the program led to its downsizing. SugarSync offers 500MB per referral up to a cap of 32GB when your friends open a free 5GB account, and 10GB per referral with no cap when your friends open a paid account.

On paper, SpiderOak stacks up well against the competition. To test its features and ease of use, I’ll primarily be comparing it against Dropbox, which is really today’s standard in terms of market share and ease of use.

Security features

The chief difference between SpiderOak and its competitors for the security and privacy-conscious is in how the services treat user data. Last year, for example, some poorly worded changes to the Dropbox Terms of Service appeared to give the company rights to its users’ intellectual property. While the offending terms were quickly changed, they drew attention to the fact that Dropbox employees can still get file-level access to your data when they deem it necessary (for example, when complying with a request from law enforcement or a DMCA takedown request).

SpiderOak, on the other hand, tells users up front that it never knows a user’s password or encryption keys, preventing anyone at the company from accessing your data for any reason. Both Dropbox and SpiderOak encrypt user data on their servers using 256-bit AES encryption, but SpiderOak takes the extra step of encrypting the decryption key itself. This key can itself only be decrypted with the user’s password, which SpiderOak never knows (the full authentication process is laid out here).

The downside of this scheme is that your data is unrecoverable if you forget your password. But the upside is that you’re absolutely guaranteed security and privacy, a must for individuals and businesses that deal with sensitive data—such as Social Security numbers, financial data, and pretty much anything that schools keep on file about their students. Dropbox offers no such capability, and while some users have used extra software like TrueCrypt to add an extra layer of security to files uploaded to Dropbox, the company doesn’t officially support this solution—since, obviously, using TrueCrypt would also prevent easy file sharing and the use of the Dropbox Web client.

SpiderOak also offers two-factor authentication to paying SpiderOak customers in North America. For the uninitiated, two-factor authentication is a security principle that requires two pieces of information from you before allowing access to a service or resource. You may be familiar with this if you use banking or other financial sites, which often require a PIN or the answer to a secret question in addition to your username and password. In SpiderOak’s case, enabling two-factor authentication will require a code sent to you via SMS as well as your account password every time you log in.

At first glance, what I find strange is the web client showing file names. Their web site states "SpiderOak staff cannot know even the names of your files and folders". However, in order for a web client to display these names, you must be sending your password to the web server in order for it to decrypt the file/folder names. As such, it would seem theoretically possible for them to intercept your password on the server side, and then decrypt your files, correct?

The web client is there just for show. Even SpiderOak themselves advise against using it as it compromises your security. You should always use the actual client to access your data as it is by far safer.

They had some problems with very slow syncs a few months ago, but other than that the service has been working perfectly for the year or so I've been using it.

An especially good part is that you can have data replicated to many computers. The only thing you pay for is the amount of unique data you have backed up. Excellent as a sync/backup platform, and it's actually reasonably secure.

> At first glance, what I find strange is the web client showing file names. Their web site states "SpiderOak staff cannot know even the names of your files and folders". However, in order for a web client to display these names, you must be sending your password to the web server in order for it to decrypt the file/folder names. As such, it would seem theoretically possible for them to intercept your password on the server side, and then decrypt your files, correct?

Not necessarily. If decryption is performed on the client side, and you are sent an encrypted version of something akin to an MFT.

Even if it is the scenario you painted, as long as the server does not save a copy of your password and deletes the cache as soon as you log out, I don't see a problem. It's more of a security measure against third parties, e.g. a Megaupload-style asset seizure, rather than against someone within the company actively monitoring. Other measures can also prevent in-house online eavesdropping.

> The web client is there just for show. Even SpiderOak themselves advise against using it as it compromises your security. You should always use the actual client to access your data as it is by far safer.

Ah yes, I now see that they themselves acknowledge this issue on the linked "Nuts and Bolts" page. Nice to see they're thinking about the same security issues as us.

Although they don't mention it, it would also seem to be the case that when accessing the web client and downloading a file, the file is decrypted server-side and temporarily stored in (encrypted) memory. But again, they acknowledge the web client being weaker, so you should really just never use it to ensure perfect privacy.

I've found SpiderOak to be pretty buggy. For instance, the storage bar is laughably inaccurate. Right now SpiderOak shows about 3 GB of space usage on one machine (which is the correct amount) yet that same machine when viewed from other SpiderOak clients on my account shows using over 7 GB of data.

I previously used SpiderOak because of their zero-knowledge configuration but their app is very rough around the edges and new features are rarely added.

I had multiple instances where upgrading to a new build caused sync to break, necessitating downgrading or waiting for the next build.

Another thing that irked me is that they allow for versioning but the historical versions will count against your quota. To free up space you have to find and delete these files individually from within the app or use the command prompt to batch delete historical versions of all files. This is a ridiculous proposition IMHO.

I've since moved on to Crashplan. $50/year is a small price to pay for the same zero-knowledge policy with many more backup features, better reliability, and unlimited storage. And unlike SpiderOak, Crashplan runs as a system service so you do not have to be logged in for your backup jobs to run.

> I've found SpiderOak to be pretty buggy. For instance, the storage bar is laughably inaccurate. Right now SpiderOak shows about 3 GB of space usage on one machine (which is the correct amount) yet that same machine when viewed from other SpiderOak clients on my account shows using over 7 GB of data.

Re: the storage bar, are you storing duplicate versions of files across multiple computers? Because of their space-saving methods, you can be "backing up" 2GB of data, but only actually using 1GB of storage if you're backing up a lot of duplicate files.

The reason why Dropbox has been successful is that it's simple to use. It also uses far fewer resources than all of the products listed. Dropbox is a native app on each platform, whereas SpiderOak is Java (if memory serves).

I've tried SpiderOak several times over the last year, but it's just too slow. The upload speeds are several times slower than my connection (which is 5 Mbit/s up), and the application also often seems to be really slow, doing mysterious things behind the scenes when I am expecting it to upload my files.

I've been using Wuala instead for over a year, and it works just as well as DropBox (which I used for a while before switching to Wuala). I really think Wuala belonged in this article. Like SpiderOak, they claim that encryption is handled on the client side.

I can definitely see using them for personal data (though I wouldn't use them as they don't have Blackberry support), but I'm still not sold on using them for enterprise data. For one thing I'd be fired if I uploaded files to them, but for most enterprise users, which company lets them take their work onto their home computer? All of the users I have that access work data offsite have laptops with VPN access.

This might be good for some IT managers, but for our high-security business, the hosting company isn't what we're concerned about - it's our own employees. The biggest security risk is almost always your own employees so this, and any cloud storage where our security department or MIS cannot manage, isn't an option. We still have to use Citrix Remote Access. I know it sounds big-brotherish but that's what happens when you have a high-security business.

I'd like to add my voice to the ones that mentioned Wuala here. And, in fact, it is _less expensive_ if you only need, say 50 GB.

Over the last two years I have tried Dropbox, SugarSync and Wuala.

Dropbox is annoying because it forces its share points on you -- unless you go to the hassle of hard links. SugarSync is about as flexible as Wuala and works well, but doesn't encrypt on the client side. So for me Wuala combined the best features and I canceled my SugarSync account. Now I use Wuala constantly and am very satisfied.

One caveat which applies to all candidates I tested: The Mac OS aliases are a problem. Because their information is partially in the resource fork, they don't work on the sync target. But when you try them there, they are back-synced and also die on the original system! And LNK-files are completely ignored. Well, there's always something…

I tried SpiderOak about a year ago for their backup features. Was not impressed by the client, it was buggy and I ended up going with Zmanda Cloud Backup. I know that's not what's being focused on in this article, but based on my previous experience I don't think I would try them again.

I'm trying to figure out how to use the SpiderOak iOS app along with mini keepass on iOS/iPhone.

That is how I was using Dropbox. I put my database file in Dropbox and it's synced everywhere, including my iPhone. The Dropbox iOS app recognizes I have mini keepass and I'm able to "send" the file to mini keepass.

SpiderOak, it would be nice if you allowed us to put a 4 digit pin on the iOS app.

I tried SpiderOak a few months ago and wasn't too impressed with it. From a security perspective it sounds good, but its usability leaves something to be desired and it isn't nearly as simple or user-friendly as Dropbox. It also would send literally hundreds of thousands of HTTP requests per day through my Squid proxy server (sorry, don't have exact numbers any more), while on the other hand Dropbox only sent 1554 requests yesterday from my workstation that is left on 24 hours.

Edit: Forgot to mention the lack of client-side encryption in Dropbox doesn't bother me too much because I keep the really important stuff inside a TrueCrypt container.

> I'm trying to figure out how to use the SpiderOak iOS app along with mini keepass on iOS/iPhone.
>
> That is how I was using Dropbox. I put my database file in Dropbox and it's synced everywhere, including my iPhone. The Dropbox iOS app recognizes I have mini keepass and I'm able to "send" the file to mini keepass.
>
> SpiderOak, it would be nice if you allowed us to put a 4 digit pin on the iOS app.

Never mind, I figured out how to do this in the SpiderOak iOS app. Click the file - Open In - mini keepass.

SpiderOak - features aside, with a name like that it can never be as competitive as "DropBox", "Box", or "SugarSync". I use DropBox in a business environment, where fickle and curmudgeony users prevail. I can't imagine telling them to install and download something called SPIDER OAK.

I used to use SpiderOak but their pricing structure didn't work for me and the client software was a bit of a hulking juggernaut.

Right now I'm using Dropbox with Boxcryptor. If anyone's using a Truecrypt volume in their Dropbox, switch to Boxcryptor right now. Put files in its virtual drive and it'll encrypt them on-the-fly individually, encfs-style. So much easier than managing Truecrypt volumes.

Also it's nice to have the encryption and uploading being done by two completely separate programs from two separate companies.

You can use a TrueCrypt volume on Dropbox for your sensitive files. You get privacy when you need it along with ease of use when you don't.

This is what I do, although it doesn't handle syncing across multiple machines as well as I'd like. It sometimes decides to reDL the whole 2GB instead of the changes.

I got around that problem by using encfs on Linux. It encrypts on a per-file basis. It's arguably less secure because of that - you could look at my encrypted directory and tell how many files there are and probably the actual size of the files - but I think it's worth it.

Another problem is that there's no Windows client for encfs - though there's an iPad app, boxcrypt, that's supposed to work. Though I still haven't gotten it working right.

> I'm trying to figure out how to use the SpiderOak iOS app along with mini keepass on iOS/iPhone.
>
> That is how I was using Dropbox. I put my database file in Dropbox and it's synced everywhere, including my iPhone. The Dropbox iOS app recognizes I have mini keepass and I'm able to "send" the file to mini keepass.
>
> SpiderOak, it would be nice if you allowed us to put a 4 digit pin on the iOS app.
>
> Never mind, I figured out how to do this in the SpiderOak iOS app. Click the file - Open In - mini keepass.

Yeah, app functionality and integration is becoming key as I am using more devices. Have Dropbox, SugarSync accounts and have looked at and tried SpiderOak, but can't go all-in with SpiderOak because of the poor mobile app. The hidden gem with Dropbox is the app integration that I am finding. Like you I have apps that are able to store/backup information or databases to my Dropbox account. While I'm sure there are other ways to find and backup that app information, having it that integrated and automatic is a big plus.

For the life of me, I can't figure out why DropBox refuses to provide an enterprise version for in house use.

They may have tried, and enterprise IT simply wasn't interested. I know I wouldn't be...nothing about this product makes me feel any better about letting my users have it on their work devices. I would also be inclined to make sure some level of protection is in place to prevent even getting work data into these services in the first place, ie - blocked at the firewall/filtered/proxied, etc. This is the same point of view we have for all of these third party services, at least in the enterprise shops I am familiar with.

We still support all the gadgets, but generally secure access to company resources via NAC and/or VPN, and then force users through Citrix. That cuts off some more esoteric devices, but our users seem to be ok with it. IS has much better syncing tools, and a much better understanding of what should be shared/synced, and more importantly when it should be shared/synced, than most end users. That is simply a matter of exposure to the right information to make informed decisions. These services allow users to adopt a cavalier attitude towards security and network resource management, which is just as important as security to any large enterprise.

I suppose it wouldn't surprise me much to see smaller places allowing users access to these services, but I think in those cases you are dealing with a fundamentally different set of security and network needs. I obviously can't make blanket statements for enterprise IT, but I work at and get exposed to some larger networks, and these services simply aren't appealing on many points.

All that said, I am an avid dropbox user, and I will surely investigate using SpiderOak and some of the other mentioned services. I think these are great for individuals who want to bring a little slice of big networking home for the family to use. But that's how I see them; handy services that have a subset of the tools an enterprise network would be dealing with, that allows practically anyone their own private cloud. The newer focus on security is an excellent evolution of that idea, just, not ready for the big time yet, imo.

> SpiderOak also offers two-factor authentication to paying SpiderOak customers in North America. For the uninitiated, two-factor authentication is a security principle that requires two pieces of information from you before allowing access to a service or resource. You may be familiar with this if you use banking or other financial sites, which often require a PIN or the answer to a secret question in addition to your username and password.

Emphasis mine.

Sorry, this bugs me, but when banks do this it is NOT two-factor authentication. It's one-factor authentication (something you know) twice - like having two passwords. From the description, spideroak seems to use actual two-factor authentication by involving a cell phone (something you have). See the Wikipedia article: http://en.wikipedia.org/wiki/Two-factor ... _questions

P.S. Not sure about the rest of the world, but Canadian banks suck at security; my bank, for example, limits the password to 8 alphanumeric characters.

> I've tried SpiderOak several times over the last year, but it's just too slow. The upload speeds are several times slower than my connection (which is 5 Mbit/s up), and the application also often seems to be really slow, doing mysterious things behind the scenes when I am expecting it to upload my files.

I think you're beginning to hit on the user complexities that the author was mentioning.

Those "mysterious things" happening are ENCRYPTION of YOUR DATA. That takes resources on the server and client, which is why you won't see your full bandwidth while uploading, either.

> This might be good for some IT managers, but for our high-security business, the hosting company isn't what we're concerned about - it's our own employees. The biggest security risk is almost always your own employees so this, and any cloud storage where our security department or MIS cannot manage, isn't an option. We still have to use Citrix Remote Access. I know it sounds big-brotherish but that's what happens when you have a high-security business.

I also have worked in heavily-regulated, high-security fields and don't understand this comment. Cloud-anything is completely off limits to high-security IT industries, so why even bother? You either use private clouds or nothing at all. These products will never suit high-security IT as you cannot control WHERE your data is going, encrypted or not, in which case you will fail any IT security audit on the planet.

Andrew Cunningham / Andrew has a B.A. in Classics from Kenyon College and has over five years of experience in IT. His work has appeared on Charge Shot!!! and AnandTech, and he records a weekly book podcast called Overdue.